Mattermost Server vulnerabilities

389 known vulnerabilities affecting mattermost/mattermost_server.

Total CVEs: 389
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 15, HIGH 74, MEDIUM 266, LOW 34

Vulnerabilities

Page 19 of 20

Columns per entry: CVE ID | severity | CVSS score | fixed-in version and affected ranges | date. The second line gives the CWE and the NVD description.
CVE-2017-18892 | MEDIUM | CVSS 6.1 | fixed in 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2020-06-19
CWE-116. An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
Source: NVD
CVE-2017-18904 | MEDIUM | CVSS 6.1 | fixed in 3.9.2; ≥ 3.10.0, < 3.10.2 | 2020-06-19
CWE-79. An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
Source: NVD
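CVE-2017-18904 above is XSS via an uploaded file. The usual route is a file whose bytes are HTML (or another script-capable type) served back under a content type the uploader chose, or without a download disposition, so the browser renders it inside the application's origin. The Go example below is added here for illustration and is not Mattermost's code; the header policy, the inlineTypes allowlist, the function names and the sample PNG/HTML payloads are all constructed. It derives the content type from the stored bytes, forces a download for anything but a short list of image types, and adds nosniff plus a sandboxing CSP as defence in depth.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// inlineTypes are the only sniffed content types allowed to display in the
// browser. HTML, SVG, XML, PDF and unknown binaries all become downloads.
// (Assumed policy for this example, not a Mattermost setting.)
var inlineTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// safeFilename reduces an uploader-chosen name to a single path element
// without control characters, quotes or separators. It is used only for the
// Content-Disposition header, never to locate the file on disk.
func safeFilename(name string) string {
	base := path.Base(strings.ReplaceAll(name, `\`, "/"))
	cleaned := strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f || r == '"' || r == ';' {
			return -1
		}
		return r
	}, base)
	if cleaned == "" || cleaned == "." || cleaned == "/" {
		return "download"
	}
	return cleaned
}

// uploadHeaders decides how a stored upload is delivered. The type comes from
// sniffing the stored bytes, never from the uploader's declared type, so an
// HTML file renamed to .png is still recognised as text/html and downloaded.
func uploadHeaders(uploaderName string, data []byte) http.Header {
	h := http.Header{}
	ctype := http.DetectContentType(data)
	h.Set("Content-Type", ctype)
	// Stop the browser from second-guessing the type chosen here.
	h.Set("X-Content-Type-Options", "nosniff")
	// If something does render anyway, deny it script, forms and same-origin access.
	h.Set("Content-Security-Policy", "sandbox")
	disposition := "attachment"
	if inlineTypes[ctype] {
		disposition = "inline"
	}
	cd := mime.FormatMediaType(disposition, map[string]string{"filename": safeFilename(uploaderName)})
	if cd == "" { // FormatMediaType returns "" when the parameter cannot be encoded
		cd = disposition
	}
	h.Set("Content-Disposition", cd)
	return h
}

// serveUpload writes the stored bytes with the headers chosen above.
func serveUpload(w http.ResponseWriter, uploaderName string, data []byte) {
	for k, v := range uploadHeaders(uploaderName, data) {
		w.Header()[k] = v
	}
	w.WriteHeader(http.StatusOK)
	w.Write(data)
}

func main() {
	// Constructed samples: a genuine PNG signature, and an HTML payload that
	// the uploader named as if it were a PNG.
	samples := []struct {
		name string
		data []byte
	}{
		{"avatar.png", []byte("\x89PNG\r\n\x1a\n")},
		{"avatar.png", []byte(`<script>alert(document.cookie)</script>`)},
	}
	for _, s := range samples {
		rec := httptest.NewRecorder()
		serveUpload(rec, s.name, s.data)
		fmt.Printf("%-10s -> %-24s | %s\n", s.name,
			rec.Header().Get("Content-Type"), rec.Header().Get("Content-Disposition"))
	}
}
```

Two caveats a practitioner would add: Go's sniffer does not recognise SVG, which therefore comes back as text/plain and is downloaded rather than rendered as an image, and the CSP sandbox directive is a backstop, not a substitute for the disposition and nosniff headers.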
CVE-2016-11062 | MEDIUM | CVSS 5.3 | fixed in 3.5.1 | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.
Source: NVD
CVE-2019-20872 | MEDIUM | CVSS 5.5 | fixed in 4.10.8; ≥ 5.7.0, < 5.7.3; +2 more | 2020-06-19
CWE-918. An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services.
Source: NVD
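CVE-2019-20872 above is server-side request forgery (CWE-918): the server fetches a user-supplied URL (link previews, webhooks and integration callbacks are the usual features) and the URL can be pointed at loopback, private or link-local addresses that only the server can reach. The Go example below is added here and is not Mattermost's code; the function names, the injected resolver and the sample URLs are constructed for illustration. It shows the check a practitioner would put in front of such a fetch: allow only http/https, resolve the host once, reject if any resolved address is internal, and hand the vetted addresses back so the caller dials exactly those.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
	"time"
)

// lookupFunc resolves a hostname. It is injected so the check can be tested
// offline with a fake resolver.
type lookupFunc func(ctx context.Context, host string) ([]net.IP, error)

// extraForbidden covers ranges the net.IP helpers do not flag: "this network"
// (0.0.0.0/8) and the CGNAT shared address space (100.64.0.0/10).
var extraForbidden = mustCIDRs("0.0.0.0/8", "100.64.0.0/10")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// isForbiddenIP reports whether a server-side fetch to ip would reach
// something that should only be reachable from inside the deployment:
// loopback, RFC 1918 / ULA, link-local (cloud metadata services live at
// 169.254.169.254), multicast and the unspecified address. IPv4-mapped IPv6
// forms such as ::ffff:127.0.0.1 are unwrapped by the net.IP helpers.
func isForbiddenIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return true
	}
	for _, n := range extraForbidden {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// checkOutboundURL validates a user-supplied URL before the server fetches it.
// It returns the vetted addresses so the caller can dial exactly those rather
// than re-resolving the name, which would reopen a DNS-rebinding window.
func checkOutboundURL(ctx context.Context, raw string, lookup lookupFunc) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" {
		return nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS involved
	} else if ips, err = lookup(ctx, host); err != nil {
		return nil, fmt.Errorf("resolve %s: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%s has no addresses", host)
	}
	// Every address must be acceptable; a single internal record is enough to reject.
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("%s resolves to forbidden address %s", host, ip)
		}
	}
	return ips, nil
}

// systemLookup is the resolver to use outside tests.
func systemLookup(ctx context.Context, host string) ([]net.IP, error) {
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	ips := make([]net.IP, len(addrs))
	for i, a := range addrs {
		ips[i] = a.IP
	}
	return ips, nil
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data/",    // cloud metadata, link-local
		"http://[::ffff:127.0.0.1]:8065/api/v4/users", // IPv4-mapped loopback
		"file:///etc/passwd",                          // non-HTTP scheme
		"https://example.com/webhook",                 // public host
	} {
		_, err := checkOutboundURL(ctx, raw, systemLookup)
		fmt.Printf("%-46s -> %v\n", raw, err)
	}
}
```

Two things this check does not do on its own and the caller must: re-run it on every redirect (an http.Client CheckRedirect hook is the natural place), and connect to the returned IP addresses instead of letting the transport resolve the name a second time.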
CVE-2017-18891 | MEDIUM | CVSS 6.1 | fixed in 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2020-06-19
CWE-601. An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows phishing because an error page can have a link.
Source: NVD
CVE-2018-21257 | MEDIUM | CVSS 5.3 | fixed in 5.1.0 | 2020-06-19
CWE-862. An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API.
Source: NVD
CVE-2017-18889 | MEDIUM | CVSS 4.3 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2020-06-19
CWE-20. An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API.
Source: NVD
CVE-2017-18907 | MEDIUM | CVSS 6.1 | fixed in 3.9.2; ≥ 3.10.0, < 3.10.2 | 2020-06-19
CWE-79. An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
Source: NVD
CVE-2016-11076 | MEDIUM | CVSS 5.3 | fixed in 3.0.0 | 2020-06-19
CWE-295. An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
Source: NVD
CVE-2017-18896 | MEDIUM | CVSS 5.3 | fixed in 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.
Source: NVD
CVE-2016-11075 | MEDIUM | CVSS 5.3 | fixed in 3.0.0 | 2020-06-19
CWE-200. An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
Source: NVD
CVE-2018-21253 | MEDIUM | CVSS 4.3 | fixed in 4.10.2; ≥ 5.0.0, < 5.0.2; +1 more | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4.10.2. An attacker could use the invite_people slash command to invite a non-permitted user.
Source: NVD
CVE-2016-11082 | MEDIUM | CVSS 6.1 | fixed in 2.2.0 | 2020-06-19
CWE-79. An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.
Source: NVD
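Three entries on this page share one root cause: user-controlled text placed into HTML without escaping appropriate to where it lands. CVE-2017-18892 is an e-mail template field whose HTML is not neutralized (text context), CVE-2017-18907 is XSS via a channel header (text and attribute context), and CVE-2016-11082 is XSS via a crafted link (URL attribute context). The Go example below is added here to show how those three contexts differ; it is not Mattermost's code, and the template, the view fields and the hostile inputs are constructed. It renders the same template through text/template, which knows nothing about HTML and passes the payloads through, and through html/template, whose parser tracks the context of each action and escapes accordingly.

```go
package main

import (
	"bytes"
	"fmt"
	htmltmpl "html/template"
	"strings"
	texttmpl "text/template"
)

// view holds the fields a notification mail or channel page might
// interpolate. The names are illustrative, not Mattermost's template fields.
type view struct {
	DisplayName string // user-chosen display name, rendered in a text node
	Header      string // channel header, rendered in text and in an attribute
	Link        string // user-supplied link target, rendered in href
}

// One template body for both engines. It places actions in three different
// HTML contexts: text node, quoted attribute value, and URL attribute.
const body = `<p>{{.DisplayName}} set the header to: {{.Header}}</p>
<a title="{{.Header}}" href="{{.Link}}">open</a>`

// hostile is a constructed input with one payload per context.
var hostile = view{
	DisplayName: `"><img src=x onerror=alert(1)>`,
	Header:      `<script>alert(document.cookie)</script>`,
	Link:        `javascript:alert(1)`,
}

// renderUnsafe is the vulnerable pattern: a text-oriented template engine
// that copies values into HTML verbatim.
func renderUnsafe(v view) (string, error) {
	t, err := texttmpl.New("mail").Parse(body)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderSafe is the hardened pattern: html/template escapes each action for
// the context it appears in, and replaces a non-http/https/mailto URL in an
// href with the inert marker #ZgotmplZ.
func renderSafe(v view) (string, error) {
	t, err := htmltmpl.New("mail").Parse(body)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsActivePayload reports whether rendered output still carries markup
// from the hostile inputs that a browser would act on.
func containsActivePayload(s string) bool {
	return strings.Contains(s, "<script>") ||
		strings.Contains(s, "<img") ||
		strings.Contains(s, `href="javascript:`)
}

func main() {
	for name, render := range map[string]func(view) (string, error){
		"text/template": renderUnsafe,
		"html/template": renderSafe,
	} {
		out, err := render(hostile)
		if err != nil {
			panic(err)
		}
		fmt.Printf("--- %s (active payload: %v)\n%s\n\n", name, containsActivePayload(out), out)
	}
}
```

The point for a reviewer is that switching the import is not enough on its own: html/template only protects values it escapes, so anything passed as template.HTML, template.URL or template.JS is trusted verbatim and reopens the hole.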
CVE-2017-18910 | MEDIUM | CVSS 4.3 | fixed in 3.6.7; ≥ 3.7.0, < 3.7.5; +1 more | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links.
Source: NVD
CVE-2017-18890 | MEDIUM | CVSS 4.3 | fixed in 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2020-06-19
CWE-20. An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
Source: NVD
CVE-2019-20882 | MEDIUM | CVSS 5.3 | fixed in 5.8.0 | 2020-06-19
CWE-276. An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team.
Source: NVD
CVE-2017-18901 | MEDIUM | CVSS 5.3 | fixed in 3.10.3; ≥ 4.0.0, < 4.0.4 | 2020-06-19
CWE-200. An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.
Source: NVD
CVE-2018-21254 | MEDIUM | CVSS 4.3 | fixed in 5.1.0 | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command.
Source: NVD
CVE-2019-20889 | MEDIUM | CVSS 5.3 | ≥ 4.10.0, < 4.10.5; ≥ 5.5.0, < 5.5.2; +2 more | 2020-06-19
CWE-276. An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation.
Source: NVD
CVE-2018-21256 | MEDIUM | CVSS 4.3 | fixed in 5.1.0 | 2020-06-19
CWE-732. An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command.
Source: NVD